Unsupervised Machine Learning Engine

Detect New and Unknown Attacks Before Damage is Done

Problem

Existing abuse, fraud, and money-laundering solutions utilize rule engines and supervised machine learning models. These techniques suffer from many limitations that can be easily exploited by sophisticated attackers.

Unable to Detect New Attacks

To detect attacks, existing solutions rely on human experience to create rules or labeled training data to tune models. This means they are unable to detect new attacks that haven’t already been identified by humans or labeled in training data.

Unable to Catch Incubating Attacks

Prior to an attack, sophisticated attackers discretely incubate accounts to give them realistic-appearing activity histories. These sleeper cells appear benign before they initiate fraudulent or abusive behaviors. Existing solutions cannot detect these sleeper cells until after they have exhibited malicious activity and caused damage.

Unable to Discover Correlated Attack Patterns

Modern attackers are distributed and coordinated, and often mimic legitimate user behavior to evade detection. Most existing solutions are only able to analyze accounts in isolation and thus cannot differentiate between the attackers’ incubating accounts and legitimate ones.

Solution

The DataVisor Unsupervised Machine Learning (UML) Engine addresses these key limitations. It processes all events and account activities simultaneously to analyze the patterns across hundreds of millions of accounts. This allows it to detect suspicious connections between malicious accounts, even when those accounts are incubating, mimicking legitimate user activities, or changing attack techniques. It also allows the UML Engine to detect all the members of an attack ring at once, ensuring the attack is fully stopped.

Caption Left: A supervised ML or regression based model only views each account in isolation, which is analogous to viewing this painting one dot at a time.

Caption Right: DataVisor’s UML Engine can analyze the connections between accounts, allowing it to detect suspicious patterns in the data, even if nothing about the individual account looks suspicious. This is analogous to how a human can understand that the patterns in the dots represent specific objects, even if the individual dots come in different colors and shapes.

Benefits

Detect Attacks Without Labels or Training Data

The DataVisor UML Engine works without labels or training data, allowing it to detect new, previously unknown attacks, as well as automatically adapt to changes to existing attacks.

Stop Attacks Before They Happen

The DataVisor UML Engine can detect sleeper cells in the incubation stage, before they do damage, by uncovering suspicious connections between the accounts.

Catch the Entire Crime Ring

The DataVisor UML Engine is uniquely and inherently capable of capturing entire crime rings at once because it has a global view across all accounts and can discover the hidden attack patterns between malicious accounts.

Architecture

The DataVisor UML Engine is a core component of the DataVisor Detection Solution, and works in concert with the Supervised Machine Learning Module, the Automated Rules Engine and the Global Intelligence Network.